Dynamic command extension for a memory sub-system

ABSTRACT

A processing device is configured to process an initial set of command types. A command extension module and a digital signature are received. The digital signature is generated based on the command extension module using a private key of a key pair. The command extension module, once installed by the processing device, enables the processing device to process a new command type that is not included in the initial set of command types. The digital signature is verified using a public key of the key pair. Based on a successful verification of the digital signature, the command extension module is temporarily installed by loading the command extension module in a volatile memory device.

TECHNICAL FIELD

Embodiments of the disclosure relate generally to memory sub-systems andmore specifically to dynamic extension of memory sub-system commands.

BACKGROUND

A memory sub-system can include one or more memory devices that storedata. The memory devices can be, for example, non-volatile memorydevices and volatile memory devices. In general, a host system canutilize a memory sub-system to store data at the memory devices and toretrieve data from the memory devices.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure will be understood more fully from the detaileddescription given below and from the accompanying drawings of variousembodiments of the disclosure.

FIG. 1 illustrates an example computing environment that includes amemory sub-system, in accordance with some embodiments of the presentdisclosure.

FIGS. 2A-2C are data flow diagrams illustrating interactions betweencomponents in a secure communication environment in performing anexample method for dynamic extension of memory sub-system commands, inaccordance with some embodiments of the present disclosure.

FIGS. 3 and 4 are flow diagrams illustrating an example method fordynamic extension of memory sub-system commands, in accordance with someembodiments of the present disclosure.

FIG. 5 is a block diagram of an example computer system in whichembodiments of the present disclosure may operate.

DETAILED DESCRIPTION

Aspects of the present disclosure are directed to secure commandextension in a memory sub-system. A memory sub-system can be a storagedevice, a memory module, or a hybrid of a storage device and memorymodule. Examples of storage devices and memory modules are describedbelow in conjunction with FIG. 1. In general, a host system can utilizea memory sub-system that includes one or more components, such as memorydevices that store data. The host system can provide data to be storedat the memory sub-system and can request data to be retrieved from thememory sub-system.

A memory sub-system controller typically receives commands or operationsfrom the host system and converts the commands or operations intoinstructions or appropriate commands to achieve desired access to memorycomponents of the memory sub-system. Typically, a memory sub-system isinitially configured with firmware capable of supporting a set ofcommand types that enable certain functionality with respect to thememory sub-system. In some instances, these command types include vendorspecific command types that enable functionality that may be specific toa vendor's system configurations or processes. However, each commandtype can provide an attack vector that can be exploited to gainunauthorized access to data stored by the memory sub-system. Further,certain vendor specific commands may create security vulnerabilitiesthat may be exploited to gain unauthorized access.

Memory sub-system firmware is normally validated by the memorysub-system before being installed to ensure that the firmware originatedfrom a trusted source. As an example, a public key of an asymmetric keypair may be provisioned to a memory sub-system by an original equipmentmanufacturer (OEM) prior to shipment while a corresponding private keyis secured by a hardware security module (HSM) of a secure system (e.g.,operated the OEM) that is external to and independent of the memorysub-system. Firmware is digitally signed by the private key to establisha root of trust and the corresponding public key is used by the memorysub-system to validate the digital signature before installation.

In some instances, it may be desired to extend the functionality of thememory sub-system beyond that enabled by the set of command types thatthe memory sub-system firmware is initially capable of supporting. Thatis, it may be desirable to enable a memory sub-system to processadditional command types that were not included in the original set ofcommand types that the original memory sub-system firmware is capable ofprocessing. In an example, it may be desired to initially configure amemory sub-system without any vendor specific commands to reduce theattack vectors for the system and later add capability to the system toprocess vendor specific commands. As another example, it may be desiredto temporarily provide certain functionality to debug the memorysub-system.

Conventional techniques for command extension in memory sub-systemsrequire downloading an updated firmware file that includes functionalityto handle the additional commands and the memory sub-system must alsorevalidate the updated firmware file before installing. An updatedfirmware file may, however, be large, and the download and revalidationmay consume large amounts of time and memory resources.

Aspects of the present disclosure address the above and other issueswith systems and methods for dynamic memory sub-system commandextension. The command extension is dynamic in that functionality toprocess additional commands may be temporarily added to a memorysub-system without requiring an entirely new firmware package to beinstalled and without requiring the firmware to be reevaluated as withthe conventional methods for command extension discussed above.

Consistent with some embodiments, a command processing component iscapable of adding functionality to the memory sub-system to processcommand types that the memory sub-system is not initially capable ofprocessing. To extend the commands of the memory sub-system, the hostsystem may provide a command extension module to the memory sub-systemrather than an entire firmware package that must also be reverified.Consistent with some embodiments, the command extension module itselfmay be subject to some form of access control to ensure secure accessand prevent unauthorized access. For example, a command extension modulemay be password protected and the host system may be required to providethe password to be able to download the command extension module. Thecommand extension module is provided with a digital signature that isverified by the command processing component before temporarilyinstalling the command extension module on the controller. A commandreceived by the command processing component that corresponds to acommand type processed by the command extension module is forwarded tothe command extension module and the command extension module processesthe command. The command extension module is only temporarily installedin that it is loaded to a volatile memory device and as such is lostupon reboot of the system or expiration of a time to live (TTL) valueassociated with the command extension module.

The techniques for dynamic command extension described above reducevulnerabilities in a memory sub-system by eliminating a need forfirmware to process vendor specific command types or those whose needwas not recognized at the time of creating the firmware. Moreover, sucha manner of dynamic command extension allows for firmware to be able toprocess only a limited set of command types given that functionality toprocess additional claim types can be added at a later time. Reducingthe number of command types also reduces the number of attack vectorsthat may be used to gain unauthorized access to memory sub-systemsthereby providing an additional security benefit.

FIG. 1 illustrates an example computing system 100 that includes amemory sub-system 110, in accordance with some embodiments of thepresent disclosure. The memory sub-system 110 can include media, such asone or more volatile memory devices (e.g., memory device 140), one ormore non-volatile memory devices (e.g., memory device 130), or acombination of such.

A memory sub-system 110 can be a storage device, a memory module, or ahybrid of a storage device and memory module. Examples of a storagedevice include a solid-state drive (SSD), a flash drive, a universalserial bus (USB) flash drive, an embedded Multi-Media Controller (eMMC)drive, a Universal Flash Storage (UFS) drive, a secure digital (SD)card, and a hard disk drive (HDD). Examples of memory modules include adual in-line memory module (DIMM), a small outline DIMM (SO-DIMM), andvarious types of non-volatile dual in-line memory module (NVDIMM).

The computing system 100 can be a computing device such as a desktopcomputer, laptop computer, network server, mobile device, a vehicle(e.g., airplane, drone, train, automobile, or other conveyance),Internet of Things (IoT) enabled device, embedded computer (e.g., oneincluded in a vehicle, industrial equipment, or a networked commercialdevice), or such computing device that includes memory and a processingdevice.

The computing system 100 can include a host system 120 that is coupledto one or more memory sub-systems 110. In some embodiments, the hostsystem 120 is coupled to different types of memory sub-systems 110. FIG.1 illustrates one example of a host system 120 coupled to one memorysub-system 110. As used herein, “coupled to” or “coupled with” generallyrefers to a connection between components, which can be an indirectcommunicative connection or direct communicative connection (e.g.,without intervening components), whether wired or wireless, includingconnections such as electrical, optical, magnetic, and the like.

The host system 120 can include a processor chipset and a software stackexecuted by the processor chipset. The processor chipset can include oneor more cores, one or more caches, a memory controller (e.g., NVDIMMcontroller), and a storage protocol controller (e.g., PCIe controller,SATA controller). The host system 120 uses the memory sub-system 110,for example, to write data to the memory sub-system 110 and read datafrom the memory sub-system 110.

The host system 120 can be coupled to the memory sub-system 110 via aphysical host interface. Examples of a physical host interface include,but are not limited to, a serial advanced technology attachment (SATA)interface, a peripheral component interconnect express (PCIe) interface,universal serial bus (USB) interface. Fibre Channel, Serial AttachedSCSI (SAS), Small Computer System Interface (SCSI), a double data rate(DDR) memory bus, a dual in-line memory module (DIMM) interface (e.g.,DIMM socket interface that supports Double Data Rate (DDR)). Open NANDFlash Interface (ONFI), Double Data Rate (DDR), Low Power Double DataRate (LPDDR), or any other interface. The physical host interface can beused to transmit data between the host system 120 and the memorysub-system 110. The host system 120 can further utilize an NVM Express(NVMe) interface to access components (e.g., memory devices 130) whenthe memory sub-system 110 is coupled with the host system 120 by thePCIe interface. The physical host interface can provide an interface forpassing control, address, data, and other signals between the memorysub-system 110 and the host system 120. FIG. 1 illustrates a memorysub-system 110 as an example. In general, the host system 120 can accessmultiple memory sub-systems via a same communication connection,multiple separate communication connections, and/or a combination ofcommunication connections.

The memory devices 130, 140 can include any combination of the differenttypes of non-volatile memory devices and/or volatile memory devices. Thevolatile memory devices (e.g., memory device 140) can be, but are notlimited to, random access memory (RAM), such as dynamic random accessmemory (DRAM) and synchronous dynamic random access memory (SDRAM).

Some example of non-volatile memory devices (e.g., memory device 130)includes a negative-and (NAND) type flash memory and write-in-placememory, such as a three-dimensional cross-point (“3D cross-point”)memory device, which is a cross-point array of non-volatile memorycells. A cross-point array of non-volatile memory can perform bitstorage based on a change of bulk resistance, in conjunction with astackable cross-gridded data access array. Additionally, in contrast tomany flash-based memories, cross-point non-volatile memory can perform awrite in-place operation, where a non-volatile memory cell can beprogrammed without the non-volatile memory cell being previously erased.NAND type flash memory includes, for example, two-dimensional NAND (2DNAND) and three-dimensional NAND (3D NAND).

Each of the memory devices 130 can include one or more arrays of memorycells. Other types of memory cells, such as multi-level cells (MLCs),triple level cells (TLCs), and quad-level cells (QLCs), can storemultiple bits per cell. In some embodiments, each of the memory devices130 can include one or more arrays of memory cells such as SLCs, MLCs,TLCs, QLCs, or any combination of such. In some embodiments, aparticular memory device can include an SLC portion, and an MLC portion,a TLC portion, or a QLC portion of memory cells. The memory cells of thememory devices 130 can be grouped as pages that can refer to a logicalunit of the memory device used to store data. With some types of memory(e.g., NAND), pages can be grouped to form blocks.

Although non-volatile memory components such as NAND type flash memory(e.g., 2D NAND, 3D NAND) and 3D cross-point array of non-volatile memorycells are described, the memory device 130 can be based on any othertype of non-volatile memory, such as read-only memory (ROM), phasechange memory (PCM), self-selecting memory, other chalcogenide basedmemories, ferroelectric transistor random-access memory (FeTRAM),ferroelectric random access memory (FeRAM), magneto random access memory(MRAM), Spin Transfer Torque (STT)-MRAM, conductive bridging RAM(CBRAM), resistive random access memory (RRAM), oxide based RRAM(OxRAM), negative-or (NOR) flash memory, and electrically erasableprogrammable read-only memory (EEPROM).

A memory sub-system controller 115 (or controller 115 for simplicity)can communicate with the memory devices 130 to perform operations suchas reading data, writing data, or erasing data at the memory devices 130and other such operations. The memory sub-system controller 115 caninclude hardware such as one or more integrated circuits and/or discretecomponents, a buffer memory, or a combination thereof. The hardware caninclude digital circuitry with dedicated (i.e., hard-coded) logic toperform the operations described herein. The memory sub-systemcontroller 115 can be a microcontroller, special purpose logic circuitry(e.g., a field programmable gate array (FPGA), an application specificintegrated circuit (ASIC), etc.), or other suitable processor.

The memory sub-system controller 115 can include a processor 117 (e.g.,processing device) configured to execute instructions stored in a localmemory 119. In the illustrated example, the local memory 119 of thememory sub-system controller 115 includes an embedded memory configuredto store instructions for performing various processes, operations,logic flows, and routines that control operation of the memorysub-system 110, including handling communications between the memorysub-system 110 and the host system 120.

In some embodiments, the local memory 119 can include memory registersstoring memory pointers, fetched data, etc. The local memory 119 canalso include read-only memory (ROM) for storing micro-code. While theexample memory sub-system 110 in FIG. 1 has been illustrated asincluding the memory sub-system controller 115, in another embodiment ofthe present disclosure, a memory sub-system 110 does not include amemory sub-system controller 115, and can instead rely upon externalcontrol (e.g., provided by an external host, or by a processor orcontroller separate from the memory sub-system).

In general, the memory sub-system controller 115 can receive commands oroperations from the host system 120 and can convert the commands oroperations into instructions or appropriate commands to achieve thedesired access to the memory devices 130 and/or the memory device 140.The memory sub-system controller 115 can be responsible for otheroperations such as wear leveling operations, garbage collectionoperations, error detection and error-correcting code (ECC) operations,encryption operations, caching operations, and address translationsbetween a logical address (e.g., logical block address (LBA), namespace)and a physical address (e.g., physical block address) that areassociated with the memory devices 130. The memory sub-system controller115 can further include host interface circuitry to communicate with thehost system 120 via the physical host interface. The host interfacecircuitry can convert the commands received from the host system intocommand instructions to access the memory devices 130 and/or the memorydevice 140 as well as convert responses associated with the memorydevices 130 and/or the memory device 140 into information for the hostsystem 120.

The memory sub-system 110 can also include additional circuitry orcomponents that are not illustrated. In some embodiments, the memorysub-system 110 can include a cache or buffer (e.g., DRAM) and addresscircuitry (e.g., a row decoder and a column decoder) that can receive anaddress from the memory sub-system controller 115 and decode the addressto access the memory devices 130.

In some embodiments, the memory devices 130 include local mediacontrollers 135 that operate in conjunction with memory sub-systemcontroller 115 to execute operations on one or more memory cells of thememory devices 130. An external controller (e.g., memory sub-systemcontroller 115) can externally manage the memory device 130 (e.g.,perform media management operations on the memory device 130). In someembodiments, a memory device 130 is a managed memory device, which is araw memory device combined with a local controller (e.g., localcontroller 135) for media management within the same memory devicepackage. An example of a managed memory device is a managed NAND (MNAND)device.

A command processing component 113 of the controller 115 receives thecommands sent by the host system 120 via the physical host interface.The command processing component 113 may be included in the controller115 or any one or more of the memory devices 130 or 140. In someembodiments, the controller 115 includes at least a portion of thecommand processing component 113. For example, the controller 115 caninclude the processor 117 (processing device) configured to executeinstructions stored in the local memory 119 for performing theoperations described herein.

Initially the controller 115 may be configured (e.g., by manufacturerinstalled firmware) to be capable of processing only a limited set ofcommand types that are previously determined, for example, by amanufacturer of the controller 115. The command processing component 113of the controller is configured to allow for dynamic extension ofcommands. That is, the command processing component 113 is able to addfunctionality to the controller 115 to process additional command types.To extend the commands of the controller 115, the host system 120provides a command extension module to the controller 115. The commandextension module comprises a set of machine-readable instructions that,once installed, enable the controller 115 to process at least one newcommand type that is not included in the predetermined set of commandtypes that the command processing component 113 has enabled thecontroller 115 to process. The command extension module is provided witha digital signature that is verified by the command processing component113 before temporarily installing the command extension module on thecontroller 115. For example, the command processing component 113 mayload the command extension module into a volatile memory device (e.g.,the memory device 130). The installation of the command extension moduleis temporary in this way because the command extension module is lostupon a reboot of the memory sub-system 110. In some embodiments, thecommand extension module may be erased from memory based on expirationof a TTL value associated with the module.

If the command processing component 113 determines a command receivedfrom the host system 120 corresponds to a command type that theinstalled command extension module is configured to process, anextension redirect component 114 of the command processing component 113redirects (forwards) the command to the command extension module and thecommand extension module processes the command accordingly.

FIGS. 2A-2C are data flow diagrams illustrating interactions betweencomponents in a secure communication environment in performing anexample method for dynamic extension of memory sub-system commands, inaccordance with some embodiments of the present disclosure.

In the context of FIG. 2A-2C, an asymmetric encryption key pair—a publickey 200 and a private key 201—are pre-generated, and the commandprocessing component 113 may be provisioned with the public key 200,while the private key 201 is maintained in a separate secure environment(e.g., comprising one or more processors). The command processingcomponent 113 stores the public key 200 in a key store 202. The keystore 202 may be implemented within a non-volatile memory device of thecontroller 115 (e.g., local memory 119) or any one or more of the memorydevices 140.

As shown, the command processing component 113 may, in some embodiments,be included as part of validated firmware 203 installed on thecontroller 115. The firmware 203 includes a set of machine readableinstructions that may be executed by the controller 115 to perform anumber of functions. For example, the firmware 203 enables thecontroller 115 to process a set of predefined command types receivedfrom the host system 120. As noted above, the host system 120 may submitcommands to the controller 115 via the host interface of the controller115. Commands that correspond to one of the set of predefined commandtypes are processed by the command processing component 113. Thefirmware 203 is validated in that it has been digitally signed using theprivate key 201 and the digital signature has been verified by thecontroller 115 using the public key 200. For example, as shown, adigital signature 204 generated based on the firmware 203 using theprivate key 201 is provided with the firmware 203 and the controller 115validates the digital signature 204 using the public key 200.

To extend the capability of the controller 115 to process one or moreadditional commands, a user 205 of the host system 120 causes the hostsystem 120 to send a command extension request to the controller 115.The command extension request includes a command extension module 206and a digital signature 207. The command extension module 206 comprisesa set of machine-readable instructions that, once installed by thecontroller 115, enables the controller 115 to process at least one newcommand type that is not included in the set of predefined command typesthat the firmware 203 enables the controller 115 to process. The digitalsignature 207 is generated based on the command extension module 206using the private key 201. In some embodiments, a security version ofthe extension module 206 is included in the command extension request.For example, the security version may be specified in a field of theextension module 206 or otherwise in a field of the command extensionrequest.

The command processing component 113 receives the command extensionrequest and verifies the digital signature 207 to ensure that theextension module 206 has been provided by a trusted source. The commandprocessing component 113 uses the public key 200 to verify the digitalsignature 207. In an example, the digital signature 207 may be generatedby creating a first hash based on the extension module 206 and the firsthash may be encrypted using the private key 201 to produce the digitalsignature 207. To verify the digital signature 207, the commandprocessing component 113 generates a second hash based on the receivedextension module 206 and decrypts the digital signature 207 to producethe first hash. The command processing component 113 compares the firstand second hash, and if they match, the digital signature 207 is valid.If the first and second hash do not match, the command processingcomponent 113 determines that the digital signature 207 is not valid andthe command extension request is rejected.

As shown in FIG. 2B, the extension module 206 is temporarily installedon the controller 115 based at least in part on the successfulvalidation of the digital signature 207. In this manner, the commands ofthe controller 115 may be extended beyond the initial capabilitieswithout having to provide the controller 115 with an updated firmwarepackage and without having to verify an updated firmware package, whichcan be much larger in size that the extension module 206.

In some embodiments, the command processing component 113 may verify asecurity version of the extension module 206 prior to installation. Thesecurity version is used for anti-rollback support (e.g., to prevent avalidly signed extension module from being installed on the device). Forexample, the command processing component 113 may maintain a securityversion counter to track command extension modules that have beeninstalled on the controller 115 and may verify the security version ofthe extension module 206 by performing a comparison of the securityversion with the security version counter. If the security version of adownloaded and verified command extension module is equal to or greaterthan a stored security version counter value maintained by the commandprocessing component 113 (e.g., in a NVM of the memory sub-systemcontroller 115 such as local memory 119), then the downloaded commandextension module can be installed and used. Otherwise, if the securityversion of the module is less than the stored security version, thecommand extension module is rejected by the command processing component113. If the command extension module is accepted, the command processingcomponent 113 updates (e.g., increments) the stored security versionvalue, if the security version of the command extension module isgreater than the currently stored value.

In various other embodiments, a TTL value may be used in addition to orin the alternative to the security version counter to control the lifetime of the command extension module. That is, the command extensionmodule may include a TTL value and once the command extension module isdownloaded and verified, the TTL counter begins to count down. Once theTTL counter reaches zero, the command extension module may be erasedfrom device memory and a new extension module will need to bedownloaded.

With continued reference to FIG. 2B, the host system 120 may send acommand to the controller 115 (e.g., based on input from the user 205).The extension redirect component 114 parses the command and determinesthat the command corresponds to a command type that the extension module206 is capable of and responsible for processing. Based on determiningthe extended command corresponds to the new command type associated withthe extension module 206, the extension redirect component 114 redirectsthe command to the extension module 206 and the extension module 206, inturn, processes the command. In processing the command, the extensionmodule 206 may perform one or more callbacks to the firmware 203 toinvoke functionality provided by the firmware 203.

The extension module 206 is temporarily installed on the controller 115because the extension module 206 is stored on a volatile memory device(e.g., the memory device 130), and thus, the extension module 206 willbe erased upon reboot of the memory sub-system 110. For example, asshown in FIG. 2C the extension module 206 is no longer loaded on thecontroller 115 after a reboot. In another example, the extension module206 may be erased based on expiration of a TTL value associated with theextension module 206. As noted above, command processing component 113will be unable to reinstall the extension module 206 because thesecurity version of the extension module 206 will no longer correspondto the security version counter maintained by the command processingcomponent 113.

FIGS. 3 AND 4 are flow diagrams illustrating an example method 300 fordynamic extension of memory sub-system commands, in accordance with someembodiments of the present disclosure. The method 300 can be performedby processing logic that can include hardware (e.g., a processingdevice, circuitry, dedicated logic, programmable logic, microcode,hardware of a device, an integrated circuit, etc.), software (e.g.,instructions run or executed on a processing device), or a combinationthereof. In some embodiments, the method 300 is performed by the commandprocessing component 113 of FIG. 1. Although processes are shown in aparticular sequence or order, unless otherwise specified, the order ofthe processes can be modified. Thus, the illustrated embodiments shouldbe understood only as examples, and the illustrated processes can beperformed in a different order, and some processes can be performed inparallel. Additionally, one or more processes can be omitted in variousembodiments. Thus, not all processes are required in every embodiment.Other process flows are possible.

Prior to the method 300, an asymmetric public/private key pair—a publickey and a private key—is pre-generated, and the processing device may beprovisioned with or otherwise have access to the public key, while theprivate key is maintained in a separate and distinct secure environment(e.g., operated by an OEM). Further, the processing device includesfirmware that enables the processing device to process a predeterminedset of command types.

At operation 305, the processing device receives a command extensionmodule and a digital signature as part of a command extension request.The command extension module comprises a set of machine-readableinstructions that enables the processing device to process at least onenew command type that is not included in the predetermined set ofcommand types that the firmware enables the processing device toprocess. The digital signature is generated based on the commandextension module using the private key. The signing of the commandextension module with the cryptographic signature may occur in a remoteand secure environment. The digital signature may comprise a asymmetriccryptographic signature generated using a cryptographic algorithm, suchas a Rivest Shamir Adleman (RSA) algorithm. The cryptographic signaturecan be associated with a public key that can be shared with one or moredevices, and a private key that can be shared with a limited number ofdevices. The combination of the public and private keys can be used toverify the integrity of the command extension module using theasymmetric cryptographic algorithm. Consistent with some embodiments,the command extension module may also be encrypted, for example, using asymmetric cryptographic algorithm (e.g., advanced encryption standard(AES)).

The command extension request may be received from the host system 120.In some embodiments, receiving the request includes receiving one ormore commands from the host system via a host system interface. In someembodiments, receiving the request includes receiving the request fromthe host system via a communication port (e.g., a UART port or otherserial communication port that supports two-way communication). In someembodiments, an out of band interface can be used for exchanging databetween the host system 120 and the processing device (e.g., a systemmanagement bus (SMBus) or an Inter-Integrated Circuit (I2C) bus).

The processing device, at operation 310, verifies the digital signatureusing a public key corresponding to the private key. As noted above, theprocessing device is previously provisioned with the public key. Thepublic key may be stored in a key store (e.g., key store 202) maintainedin a non-volatile memory device (e.g., local memory 119 or the memorydevice 140). The combination of the public and private keys can be usedto verify the digital signature based upon one or more cryptographicprocedures. For example, the digital signature may be an asymmetriccryptographic signature that can be verified based upon an asymmetriccryptographic procedure that uses the asymmetric cryptographic algorithmused to generated the signature (e.g., RSA).

In response to a successful validation of the digital signature, theprocessing device temporarily installs the command extension module, atoperation 315. The installing of the command extension module comprisesstoring the command extension module in a volatile memory device (e.g.,the memory device 130). In this manner, the installation of the commandextension module is impermanent because the command extension modulewill be lost on system reboot or expiration of a TTL value.

At operation 320, the processing device receives a command anddetermines the command corresponds to a command type capable of beingprocessed by the command extension module, at operation 325. The commandmay be received from the host system 120 via the host interface.

Based on determining the command corresponds to a command type capableof being processed by the command extension module, the processingdevice forwards the extended command to the command extension module, atoperation 330. More specifically, the processing device may comprise anextension redirect component (e.g., extension redirect component 114)that is responsible for redirecting commands to the command extensionmodule that the command extension module is responsible for processing.The extension redirect component may parse the command to determine itcorresponds to a command type handled by the command extension module.

The command extension module, at operation 335, processes the extendedcommand. The command extension module may perform one or more actions inprocessing the extended command. In some instances, the commandextension module may perform one or more callbacks to the processingdevice for support functions needed to process the extended command.

As shown in FIG. 4, the method 300 may, in some embodiments, includeoperations 311, 312, and 316. Consistent with these embodiments, theoperations 311 and 312 may be performed prior to the operation 315,where the processing device temporarily installs the command extensionmodule.

At operation 311, the processing device determines a security version ofthe command extension module. The security version of the commandextension module may, for example, be included in the command extensionrequest in which the command extension module was included.

At operation 312, the processing device validates the security versionof the command extension module. The processing device validates thesecurity version of the command extension module based on storedinformation used to track command extension modules installed by theprocessing device. For example, the processing device may maintain asecurity version counter to track which command extension modules havebeen installed by the processing device. The processing device maycompare the security version of the command extension module with thesecurity version counter to determine whether the command extensionmodule was previously installed. If the command extension module was notpreviously installed, the processing device successfully validates thesecurity version and installs the extension module based on thesuccessful validations. If the command extension module was previouslyinstalled, processing device determines the security version is invalidand the processing device rejections the command extension request.

Consistent with these embodiments, the operation 316 may be performedsubsequent to operation 315. At operation 316, the processing deviceincrements the security version counter based on installing the commandextension module. As noted above, the security version counter is usedto track which command extension modules have been installed by theprocessing device. After updating the security version counter, thecommand extension module will no longer be able to be installed by theprocessing device.

In various other embodiments, a TTL value may be used in addition to orin the alternative to the security version counter. That is, the commandextension module can specify a TTL value that is used to control thelife time of the extension module. Meaning, once the command extensionmodule is downloaded and verified, the TTL counter begins to count down.Once the TTL counter reaches zero, the extension module is purged fromdevice memory and a new extension module will need to be downloaded.

Example 1 is a system comprising: a volatile memory device comprisingvolatile memory media; and a processing device configured to process aninitial set of command types, the processing device, operatively coupledwith the volatile memory device, to perform operations comprising:receiving a command extension module and a digital signature, thedigital signature being generated based on the command extension moduleusing a private key of a key pair, the command extension module, onceinstalled by the processing device, enabling the processing device toprocess a new command type that is not included in the initial set ofcommand types; verifying the digital signature using a public key of thekey pair; and based on a successful verification of the digitalsignature, temporarily installing the command extension module on thesystem, the temporary install of the command extension module comprisingloading the command extension module in the volatile memory device.

In Example 2, the subject matter of Example 1 optionally comprises anextension redirect component to: receive a command; determine thecommand corresponds to the new command type; and forward the command tothe command extension module based on the command corresponding to thenew command type.

In Example 3, the command extension module of any one or more ofExamples 1 or 2 processes the command.

In Example 4, the command extension module of any one or more ofExamples 1-3 performs one or more callbacks to the firmware inprocessing the command.

In Example 5, the command extension module of any one of Examples 1-4 iserased upon a system reboot or expiration of a TTL value.

In Example 6, the operations of any one or more of Examples 1-5optionally comprise determining a security version of the commandextension module; and validating the security version of the commandextension module based on stored information.

In Example 7, the operations of any one or more of Examples 1-6optionally comprise validating a security version of the commandextension module by comparing the security version of the commandextension module to a security version counter.

In Example 8, the operations of any one or more of Examples 1-7optionally comprise incrementing the security version counter based ontemporarily installing the command extension module.

In Example 9, the subject matter of any one or more of Examples 1-8optionally comprises a non-volatile memory media to store the publickey.

In Example 10, the subject matter of any one or more of Examples 1-9optionally comprises a host interface, wherein the command extensionmodule and digital signature are received via the host interface as partof a command extension request.

In Example 11, the operations of any one or more of Examples 1-10optionally comprise: using an asymmetric cryptographic algorithm toverify the digital signature based on a combination of the public andprivate key.

Example 12 is a method comprising receiving, by a memory sub-systemcontroller comprising one or more processors of a machine, a commandextension module and a digital signature, the digital signature beinggenerated based on the command extension module using a private key of akey pair, the memory sub-system controller comprising firmware thatenables the memory sub-system to process an initial set of commandtypes, the command extension module comprising a set of machine-readableinstructions that, once installed by the memory sub-system controller,enables the memory sub-system controller to process a new command typethat is not included in the initial set of command types; verifying, bythe memory sub-system controller, the digital signature using a publickey of the key pair; and based on a successful verification of thedigital signature, temporarily installing, at the memory sub-systemcontroller, the command extension module, the temporary install of thecommand extension module comprising storing the command extension modulein a volatile memory device of the memory sub-system controller.

In Example 13, the subject matter of Example 1 optionally comprises:determining the command corresponds to the new command type; andforwarding the command to the command extension module based on thecommand corresponding to the new command type.

In Example 14, the subject matter of any one or more of Examples 12 or13 optionally comprises processing the command using the extensioncommand module.

In Example 15, the command extension module of any one of Examples 12-14is erased upon a system reboot.

In Example 16, the subject matter of any one or more of Examples 12-15optionally comprises determining a security version of the commandextension module; and validating the security version of the commandextension module based on stored information.

In Example 17, the operations of any one or more of Examples 12-16optionally comprise validating a security version of the commandextension module by comparing the security version of the commandextension module to a security version counter and incrementing thesecurity version counter based on temporarily installing the commandextension module.

In Example 18, the subject matter of any one or more of Examples 12-17optionally comprises receiving the command extension module and thedigital signature, from a host system, via a host interface, as part ofa command extension request.

In Example 19, the subject matter of any one or more of Examples 12-18optionally comprises: using an asymmetric cryptographic algorithm toverify the digital signature based on a combination of the public andprivate key.

Example 20 is a non-transitory computer-readable storage mediumcomprising instructions that, when executed by a processing device,configure the processing device to perform operations comprising:receiving a command extension module and a digital signature, thedigital signature being generated based on the command extension moduleusing a private key of a key pair, the processing device comprisingfirmware that enables the processing device to process an initial set ofcommand types, the command extension module comprising a set ofmachine-readable instructions, that once installed by the processingdevice, enables the processing device to process a new command type thatis not included in the initial set of command types; verifying thedigital signature using a public key of the key pair; and, based on asuccessful verification of the digital signature, temporarily installingthe command extension module, the temporary install of the commandextension module comprising storing the command extension module in avolatile memory device of the processing device.

FIG. 5 illustrates an example machine in the form of a computer system500 within which a set of instructions can be executed for causing themachine to perform any one or more of the methodologies discussedherein. In some embodiments, the computer system 500 can correspond to ahost system (e.g., the host system 120 of FIG. 1) that includes, iscoupled to, or utilizes a memory sub-system (e.g., the memory sub-system110 of FIG. 1) or can be used to perform the operations of a controller(e.g., to execute an operating system to perform operationscorresponding to the command processing component 113 of FIG. 1). Inalternative embodiments, the machine can be connected (e.g., networked)to other machines in a local area network (LAN), an intranet, anextranet, and/or the Internet. The machine can operate in the capacityof a server or a client machine in client-server network environment, asa peer machine in a peer-to-peer (or distributed) network environment,or as a server or a client machine in a cloud computing infrastructureor environment.

The machine can be a personal computer (PC), a tablet PC, a set-top box(STB), a Personal Digital Assistant (PDA), a cellular telephone, a webappliance, a server, a network router, a switch or bridge, or anymachine capable of executing a set of instructions (sequential orotherwise) that specify actions to be taken by that machine. Further,while a single machine is illustrated, the term “machine” shall also betaken to include any collection of machines that individually or jointlyexecute a set (or multiple sets) of instructions to perform any one ormore of the methodologies discussed herein.

The example computer system 500 includes a processing device 502, a mainmemory 504 (e.g., ROM, flash memory. DRAM such as SDRAM or Rambus DRAM(RDRAM), etc.), a static memory 506 (e.g., flash memory, static randomaccess memory (SRAM), etc.), and a data storage system 518, whichcommunicate with each other via a bus 530.

The processing device 502 represents one or more general-purposeprocessing devices such as a microprocessor, a central processing unit,or the like. More particularly, the processing device 502 can be acomplex instruction set computing (CISC) microprocessor, a reducedinstruction set computing (RISC) microprocessor, a very long instructionword (VLIW) microprocessor, a processor implementing other instructionsets, or processors implementing a combination of instruction sets. Theprocessing device 502 can also be one or more special-purpose processingdevices such as an ASIC, an FPGA, a digital signal processor (DSP), anetwork processor, or the like. The processing device 502 is configuredto execute instructions 525 for performing the operations and stepsdiscussed herein. The computer system 500 can further include a networkinterface device 508 to communicate over a network 520.

The data storage system 518 can include a machine-readable storagemedium 524 (also known as a computer-readable medium) on which is storedone or more sets of instructions 525 or software embodying any one ormore of the methodologies or functions described herein. Theinstructions 525 can also reside, completely or at least partially,within the main memory 504 and/or within the processing device 502during execution thereof by the computer system 500, the main memory 504and the processing device 502 also constituting machine-readable storagemedia. The machine-readable storage medium 524, data storage system 518,and/or main memory 504 can correspond to the memory sub-system 110 ofFIG. 1.

In one embodiment, the instructions 526 include instructions toimplement functionality corresponding to a security component (e.g., thecommand processing component 113 of FIG. 1). While the machine-readablestorage medium 524 is shown in an example embodiment to be a singlemedium, the term “machine-readable storage medium” should be taken toinclude a single medium or multiple media that store the one or moresets of instructions. The term “machine-readable storage medium” shallalso be taken to include any medium that is capable of storing orencoding a set of instructions for execution by the machine and thatcause the machine to perform any one or more of the methodologies of thepresent disclosure. The term “machine-readable storage medium” shallaccordingly be taken to include, but not be limited to, solid-statememories, optical media, and magnetic media.

Some portions of the preceding detailed descriptions have been presentedin terms of algorithms and symbolic representations of operations ondata bits within a computer memory. These algorithmic descriptions andrepresentations are the ways used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of operations leading to adesired result. The operations are those requiring physicalmanipulations of physical quantities. Usually, though not necessarily,these quantities take the form of electrical or magnetic signals capableof being stored, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. The presentdisclosure can refer to the action and processes of a computer system,or similar electronic computing device, that manipulates and transformsdata represented as physical (electronic) quantities within the computersystem's registers and memories into other data similarly represented asphysical quantities within the computer system's memories or registersor other such information storage systems.

The present disclosure also relates to an apparatus for performing theoperations herein. This apparatus can be specially constructed for theintended purposes, or it can include a general-purpose computerselectively activated or reconfigured by a computer program stored inthe computer. Such a computer program can be stored in acomputer-readable storage medium, such as, but not limited to, any typeof disk including floppy disks, optical disks. CD-ROMs, andmagnetic-optical disks; ROMs; RAMs; erasable programmable read-onlymemories (EPROMs); EEPROMs; magnetic or optical cards; or any type ofmedia suitable for storing electronic instructions, each coupled to acomputer system bus.

The algorithms and displays presented herein are not inherently relatedto any particular computer or other apparatus. Various general-purposesystems can be used with programs in accordance with the teachingsherein, or it can prove convenient to construct a more specializedapparatus to perform the method. The structure for a variety of thesesystems will appear as set forth in the description above. In addition,the present disclosure is not described with reference to any particularprogramming language. It will be appreciated that a variety ofprogramming languages can be used to implement the teachings of thedisclosure as described herein.

The present disclosure can be provided as a computer program product, orsoftware, that can include a machine-readable medium having storedthereon instructions, which can be used to program a computer system (orother electronic devices) to perform a process according to the presentdisclosure. A machine-readable medium includes any mechanism for storinginformation in a form readable by a machine (e.g., a computer). In someembodiments, a machine-readable (e.g., computer-readable) mediumincludes a machine-readable (e.g., a computer-readable) storage mediumsuch as a ROM, a RAM, magnetic disk storage media, optical storagemedia, flash memory components, and so forth.

In the foregoing specification, embodiments of the disclosure have beendescribed with reference to specific example embodiments thereof. Itwill be evident that various modifications can be made thereto withoutdeparting from the broader scope of embodiments of the disclosure as setforth in the following claims. The specification and drawings are,accordingly, to be regarded in an illustrative sense rather than arestrictive sense.

What is claimed is:
 1. A system comprising: a volatile memory device;and a processing device configured to process an initial set of commandtypes, the processing device, operatively coupled with the volatilememory device, configured to perform operations comprising: receiving acommand extension module and a digital signature, the digital signaturebeing generated based on the command extension module using a privatekey of a key pair, the command extension module, once installed by theprocessing device, enabling the processing device to process a newcommand type that is not included in the initial set of command types,the command extension module comprising a time to live (TTL) value;verifying the digital signature using a public key of the key pair;based on a successful verification of the digital signature, temporarilyinstalling the command extension module on the system, the temporarilyinstalling of the command extension module comprising loading thecommand extension module in the volatile memory device; the processingdevice comprising an extension redirect component configured to forwarda command to the command extension module based on the commandcorresponding to the new command type; and the processing device furtherconfigured to erase the command extension module based on expiration ofthe TTL value.
 2. The system of claim 1, wherein the extension redirectcomponent is further configured to: receive the command; and determinethe command corresponds to the new command type.
 3. The system of claim1, wherein the command extension module processes the command.
 4. Thesystem of claim 3, wherein the command extension module performs one ormore callbacks to the processing device in processing the command. 5.The system of claim 1, wherein the command extension module is erasedupon system reboot.
 6. The system of claim 1, wherein the operationsfurther comprise: determining a security version of the commandextension module; and validating the security version of the commandextension module based on stored information.
 7. The system of claim 6,wherein the validating of the security version of the command extensionmodule comprises comparing the security version of the command extensionmodule to a security version counter.
 8. The system of claim 7, whereinthe operations further comprise: incrementing the security versioncounter based on temporarily installing the command extension module. 9.The system of claim 1, further comprising non-volatile memory media tostore the public key.
 10. The system of claim 1, further comprising ahost interface, wherein the command extension module and digitalsignature are received via the host interface as part of a commandextension request.
 11. The system of claim 1, wherein the verifying ofthe digital signature by the processing device comprises using anasymmetric cryptographic algorithm to verify the digital signature basedon a combination of the public and private key.
 12. A method comprising:receiving, by a memory sub-system controller comprising one or moreprocessors of a machine, a command extension module and a digitalsignature, the digital signature being generated based on the commandextension module using a private key of a key pair, the memorysub-system controller comprising firmware that enables the memorysub-system to process an initial set of command types, the commandextension module comprising a set of machine-readable instructions, thatonce installed by the memory sub-system controller, enables the memorysub-system controller to process a new command type that is not includedin the initial set of command types, the command extension modulecomprising a time to live (TTL) value; verifying, by the memorysub-system controller, the digital signature using a public key of thekey pair; based on a successful verification of the digital signature,temporarily installing, at the memory sub-system controller, the commandextension module, the temporarily installing of the command extensionmodule comprising storing the command extension module in a volatilememory device of the memory sub-system controller; forwarding a commandto the command extension module based on the command corresponding tothe new command type; and erasing the command extension module based onexpiration of the TTL value.
 13. The method of claim 12, furthercomprising: receiving the command; and determining the commandcorresponds to the new command type.
 14. The method of claim 12, furthercomprising: processing, by the command extension module, the command.15. The method of claim 12, further comprising: initiating a TTLcountdown upon installing the command extension module; and detectingthe expiration of the TTL value based on the TTL countdown.
 16. Themethod of claim 12, further comprising: determining a security versionof the command extension module; and validating the security version ofthe command extension module based on stored information.
 17. The methodof claim 16, wherein: the validating of the security version of thecommand extension module comprises comparing the security version of thecommand extension module to a security version counter; and the methodfurther comprises: incrementing the security version counter based ontemporarily installing the command extension module.
 18. The method ofclaim 12, the command extension module and digital signature arereceived, from a host system, via a host interface of the memorysub-system controller, as part of a command extension request.
 19. Themethod of claim 12, wherein the verifying of the digital signature bythe processing device comprises using an asymmetric cryptographicalgorithm to verify the digital signature based on a combination of thepublic and private key.
 20. A non-transitory computer-readable storagemedium comprising instructions that, when executed by a processingdevice, configure the processing device to perform operationscomprising: receiving a command extension module and a digitalsignature, the digital signature being generated based on the commandextension module using a private key of a key pair, the processingdevice comprising firmware that enables the processing device to processan initial set of command types, the command extension module comprisinga set of machine-readable instructions, that once installed by theprocessing device, enables the processing device to process a newcommand type that is not included in the initial set of command types,the command extension module comprising a time to live (TTL) value;verifying the digital signature using a public key of the key pair;based on a successful verification of the digital signature, temporarilyinstalling the command extension module, the temporarily installing ofthe command extension module comprising storing the command extensionmodule in a volatile memory device of the processing device; forwardinga command to the command extension module based on the commandcorresponding to the new command type; and erasing the command extensionmodule based on expiration of the TTL value.